Microsoft IIS 3.0/4.0 "%81" ASP Source Code Disclosure Vulnerability (MS99-022)

Vulnerability ID 1105482 Vulnerability type Configuration error
Published 1999-06-24 Updated 2005-10-12
CVE ID CVE-1999-0725 CNNVD-ID CNNVD-199908-032
Platform Windows CVSS score 7.1
|Vulnerability sources
https://www.exploit-db.com/exploits/19361
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-032
|Vulnerability details
IIS is a very popular Internet web server product that ships bundled with Windows NT. The double-byte language editions of IIS 3.0 and 4.0 (Chinese, Japanese, Korean and similar) have a flaw: appending "%81" to the CGI file name in an HTTP request causes the file's source code to be returned instead of the file being executed. The root cause is an input validation error. IIS uses the file extension to decide whether a file's contents are sent directly or the file is executed as a script. For ASP files, a request whose extension is ".asp" is handled correctly. If "%81" is appended after the extension, IIS no longer recognises the request as an ASP file and does not execute it, but the file system ignores the trailing "%81" and still locates the file.
|Exploit
source: http://www.securityfocus.com/bid/477/info


This vulnerability could allow a web site viewer to obtain the source code for .asp and similar files if the server's default language (Input Locale) is set to Chinese, Japanese or Korean. How this works is as follows:

IIS checks the extension of the requested file to see if it needs to do any processing before delivering the information. If the requested extension is not on its list, it then makes any language-based calculations, and delivers the file. If a single byte is appended to the end of the URL when IIS is set to use one of the double-byte language packs (Chinese, Japanese, or Korean) the language module will strip it as invalid, then look for the file. Since the new URL now points to a valid filename, and IIS has already determined that this transaction requires no processing, the file is simply delivered as is, exposing the source code.

Request a URL of a known-good file that requires server processing, then append a hex value between x81 and xfe to the URL. For example: <http://myhost/main.asp%81>. If your server is vulnerable you will receive back the source code of your .asp file.
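A defender-side check for this pattern, written as an added example for this page and not taken from the advisory, Microsoft or SecurityFocus: it scans web server log lines for requests whose path ends in a script extension followed by one percent-encoded byte in the 0x81-0xFE range described above. The log format, the sample lines and the extension list beyond .asp are assumptions; a 200 response on such a request is the signal that the server actually served the file.

```python
import re
from urllib.parse import urlsplit

# .asp is the extension the advisory names; the others are assumed
# "similar files" that IIS hands to a script engine (illustrative list).
SCRIPT_EXTS = {"asp", "asa", "htr", "idc"}

# A script extension followed by exactly one percent-encoded byte at the
# end of the path, e.g. "/main.asp%81".
TRAILING_BYTE = re.compile(r"\.([A-Za-z0-9]+)%([0-9A-Fa-f]{2})$")

# Common Log Format: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/1999:10:00:01 +0000] "GET /main.asp HTTP/1.0" 200 1843',
    '10.0.0.5 - - [24/Jun/1999:10:00:07 +0000] "GET /main.asp%81 HTTP/1.0" 200 2210',
    '10.0.0.9 - - [24/Jun/1999:10:00:09 +0000] "GET /Main.ASP%fe?id=1 HTTP/1.0" 200 2210',
    '10.0.0.9 - - [24/Jun/1999:10:00:12 +0000] "GET /images/logo.gif%81 HTTP/1.0" 404 0',
    '10.0.0.7 - - [24/Jun/1999:10:00:15 +0000] "GET /main.asp%20 HTTP/1.0" 404 0',
]

def is_trailing_byte_request(target: str) -> bool:
    """True if the request path is a script file name with one appended
    byte in the 0x81-0xFE range (the MS99-022 pattern); the query string
    is ignored and the extension is matched case-insensitively."""
    m = TRAILING_BYTE.search(urlsplit(target).path)
    if not m:
        return False
    ext, byte = m.group(1).lower(), int(m.group(2), 16)
    return ext in SCRIPT_EXTS and 0x81 <= byte <= 0xFE

def scan_log(lines):
    """Return (client_ip, target, status) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, target, status = m.groups()
        if is_trailing_byte_request(target):
            hits.append((ip, target, int(status)))
    return hits

if __name__ == "__main__":
    for ip, target, status in scan_log(SAMPLE_LOG):
        print(f"{ip} requested {target} -> {status}")
```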
|References

Source: XF
Name: iis-double-byte-code-page(2302)
Link: http://xforce.iss.net/xforce/xfdb/2302
Source: BID
Name: 477
Link: http://www.securityfocus.com/bid/477
Source: MS
Name: MS99-022
Link: http://www.microsoft.com/technet/security/bulletin/ms99-022.mspx
Source: MSKB
Name: Q233335
Link: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;Q233335
Source: NSFOCUS
Name: 3425
Link: http://www.nsfocus.net/vulndb/3425